This final posting looks at what happens when a mobile phone is lost in a BYOD environment, the cyber security problems that loss can create, and several solutions that law firms and companies can evaluate for addressing the concern.
The third risk seems very low-tech, but it is in some ways the greatest threat. When a phone is lost or stolen, unless the owner has enabled a service that allows the device to be locked or wiped remotely, the thief walks away with everything from the owner's bank account details to their work logins, emails, legal files and family photos.
Unfortunately, most corporate cultures tend to penalize employees when mobile devices are lost or stolen. The result is often a gap of several days while the employee frantically tries to find the device, hoping to recover it and relying on the passcode as a barrier. The reality is that a passcode alone is a weak barrier. Often the thief need only look at the finger marks on the screen to replicate a swipe pattern; if that fails, he or she can go online and download any one of numerous free tools and guides for getting into a locked phone.
There is no magic bullet here, and the right solution will often vary with geography, company size, culture, industry, technology, and similar factors. One possible solution is to mandate that every mobile device used for work have full-device encryption enabled, so that a thief who bypasses the lock screen or reads the storage directly still cannot recover the data.
Another solution is to review and amend existing mobile application and BYOD policies to allow the IT department to track devices and wipe them remotely in defined situations. By incorporating asset tracking into the policy, the company can track any device brought into the workplace, ensure that malware detection software is installed and kept up to date, and keep track of which devices may be carrying proprietary or sensitive information. An employer that obtains the "right to wipe" can avoid potentially expensive legal disputes and respond quickly when a device is lost or stolen, assuming this is permissible in the countries in which it operates. In certain countries a constitutional right to privacy, or a strong culture of privacy, may make such a policy difficult to implement. Here it is critical that the lawyer advising the organization has a firm grasp of the company culture, the underlying legal issues, the technologies, and real-world experience in this area of the law.
An often-overlooked but very effective solution is to create a corporate culture that allows for pseudo-anonymous, no-penalty reporting: if a device is lost or stolen, the employee must be able to report the loss immediately without fear of punishment or repercussions. The company can then deal with the problem proactively (for example, by triggering a remote wipe while the data is still protected by the lock screen) and the employee gets a new device, a win-win dynamic.
Taken together, these measures form one workable approach: implement a company-wide encryption policy for mobile devices; adjust the BYOD policy to allow asset tracking and remote wiping; and adopt a pseudo-anonymous, no-penalty reporting framework for lost or stolen devices.
As we look forward into 2014, law firms and companies, big or small, must develop, implement, and deploy BYOD policies that suit their culture, geography, security, and confidentiality needs. Several building blocks are available: mandatory registration of any device that enters the professional workspace; installation of approved security software on every such device, including malware detection and the ability to remotely wipe the device's internal storage; anonymous or no-penalty reporting of lost devices; and the company's right to wipe those devices when a loss is reported.
Law firms and companies may be hesitant to rock the boat and risk the backlash that can arise when privacy becomes the focal point of the conversation. While such concerns can be well founded in certain contexts, they often are not. Employers must work to create an environment in which employees understand that the BYOD tools and policies are not being used to spy on or intrude into their personal lives, but to protect both the employee and the employer.
One thing is for sure: BYOD is here to stay and organizations, big and small, should work proactively to protect themselves.
* By Daniel B. Garrie, Senior Managing Partner at Law & Forensics LLC. He focuses on e-discovery, digital forensics, cyber security and warfare, data privacy, and predictive coding, and works with law firms, governments, companies, and non-profits around the globe.